December 7th 2023
In the next of the Better Security, Better Care specialised webinar series, we explored the importance of including data protection and cyber security in business continuity plans. In partnership with colleagues from the National Cyber Resilience Centre, Buckinghamshire Council and the Institute of Public Care, we looked at why this is an important issue for care services and how to develop a robust business continuity plan.
You can access a full recording of the session here.
Why does data protection and cyber security matter?
Statistics from the national Cyber Security Breaches Survey 2023 tell us that:
- 32% of UK organisations had a cyber security breach or attack in the last 12 months
- 21% of those had at least 1 breach or attack per week
- 19% perform cyber drills
- only 52% of UK organisations have a formal incident response plan in place
Response planning is crucial. It helps you decide in advance what to do in the event of a data breach or cyber attack and gives you the tools you need to minimise the impact. This is where a strong business continuity plan comes in.
Implementing a robust business continuity plan
You probably already have a plan which details what you would do in the event of a fire or a flood. But does your plan detail what you would do in the event of a cyber attack? How different would the impact be?
Digital Care Hub have a very handy template you can use to build data protection and cyber security into your business continuity plan. The template looks at your digital systems and devices, encouraging you to think through all the different systems you use and what alternatives you have in place if you were unable to access any of them.
It also explores at least 5 different scenarios, giving you an indication of what you would need to consider for each scenario. For example, the screenshot from the template below prompts you to consider what you would do if a supplier had a fault with a critical piece of software:
It’s really important that after you develop your plan, you:
- make sure that staff are aware of it and what to do
- update your policies and procedures to match your plan
- test your draft plan to see if the actions would really work in practice
- test your plan at least once a year
In the webinar, we also heard from Matilda Moss, head of integrated commissioning at Buckinghamshire Council. She highlighted some key lessons from cyber incidents affecting commissioned providers. Care services that had a strong business continuity plan and were able to implement it promptly significantly reduced the impact on care delivery. Those without one, or those who didn’t implement it, suffered far worse disruption.
Testing your business continuity plan
It might feel silly, but acting out a scenario is the best way to test whether your plan works. For example, if you wanted to test what would happen during a broadband failure or a power outage, you could unplug the telephones, turn off the WiFi, and unplug devices in an office to simulate a power cut.
You would then refer to your plan and see if the steps you put in place would actually work as an alternative.
If you wanted to test what would happen in the event of a cyber attack, you could run a simulated phishing exercise and check that staff know what to do if they receive one, what warning signs to look out for, and how to prevent one from succeeding again.
Don’t forget to record your test so you can refer back to results and make any necessary changes.
Use the DSPT to check and review your data protection and cyber security arrangements
The DSPT is a helpful checklist that all CQC registered providers should complete at least once a year. It’ll demonstrate that you’re doing everything you can to protect your information and can also be used as evidence in regulatory inspections.
The DSPT will ask you if you have a business continuity plan that covers data and cyber security, and whether or not you test that plan:
Better Security, Better Care offer free, national support to all care services using the DSPT, and local support partners in your area can give you tailored, expert advice.
Staff training is also paramount when it comes to improving your data protection and cyber security arrangements. You can access a free e-learning resource to train your staff on key data protection and cyber security issues.
Photo by Brett Jordan on Unsplash